Abstract

Given an elliptic curve $E$ over a finite field $\mathbb{F}_q$ of $q$ elements, we say that an odd prime $\ell \nmid q$ is an Elkies prime for $E$ if $t_E^2 - 4q$ is a square modulo $\ell$, where $t_E = q + 1 - \#E(\mathbb{F}_q)$ and $\#E(\mathbb{F}_q)$ is the number of $\mathbb{F}_q$-rational points on $E$; otherwise $\ell$ is called an Atkin prime. We show that there are asymptotically the same number of Atkin and Elkies primes $\ell \le L$ on average over all curves $E$ over $\mathbb{F}_q$, provided that $L \ge (\log q)^{\varepsilon}$ for any fixed $\varepsilon > 0$ and a sufficiently large $q$. We use this result to design and analyse a fast algorithm to generate random elliptic curves with $\#E(\mathbb{F}_p)$ prime, where $p$ varies uniformly over primes in a given interval $[x, 2x]$.
1 Introduction



Let $\mathbb{F}_q$ be a finite field of $q$ elements. For an elliptic curve $E$ over $\mathbb{F}_q$ we denote by $\#E(\mathbb{F}_q)$ the number of $\mathbb{F}_q$-rational points on $E$ and define the trace of Frobenius $t_E = q + 1 - \#E(\mathbb{F}_q)$; see [2, 25] for a background on elliptic curves. We say that an odd prime $\ell \nmid q$ is an Elkies prime for $E$ if $t_E^2 - 4q$ is a quadratic residue modulo $\ell$; otherwise $\ell \nmid q$ is called an Atkin prime. For any elliptic curve over a finite field, one expects about the same number of Atkin and Elkies primes $\ell \le L$ as $L \to \infty$.

These primes play a key role in the Schoof-Elkies-Atkin (SEA) algorithm, see [2, §17.2.2 and §17.2.5], and their distribution affects the performance of this algorithm in a rather dramatic way. Thus we define $N_a(E;L)$ and $N_e(E;L)$ as the number of Atkin and Elkies primes $\ell$ in the dyadic interval $\ell \in [L, 2L]$ for an elliptic curve $E$ over $\mathbb{F}_q$, respectively. We clearly have

$$N_a(E;L) + N_e(E;L) = \pi(2L) - \pi(L) + O(1),$$

where $\pi(L)$ denotes the number of primes $\ell \le L$, and one expects that

$$N_a(E;L) \sim N_e(E;L) \sim \tfrac12\left(\pi(2L) - \pi(L)\right), \qquad (1)$$

as $L \to \infty$.
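The definitions above worked on an explicit small curve (an added example, not code from the paper): brute-force point counting gives $t_E$, the Atkin/Elkies test is applied to every odd prime $\ell \ne p$ in $[L, 2L]$, and the two counts are then averaged over all curves $E_{a,b}$ over $\mathbb{F}_p$ in the spirit of Theorem 1. The function names and the sample curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$ are this example's own choices.

```python
"""Atkin/Elkies classification for explicit curves over a small prime field.

Added example (not from the paper): t_E by brute-force point counting, the
Atkin/Elkies test from the definition, and the counts N_a(E; L), N_e(E; L)
over the dyadic interval [L, 2L], averaged over all curves E_{a,b} over F_p.
"""


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def primes_in(lo: int, hi: int) -> list[int]:
    """All primes l with lo <= l <= hi (trial division; fine for small l)."""
    return [l for l in range(max(lo, 2), hi + 1)
            if all(l % d for d in range(2, int(l ** 0.5) + 1))]


def count_points(p: int, a: int, b: int) -> int:
    """#E_{a,b}(F_p) = 1 + sum_x (1 + ((x^3+ax+b)/p)), including the point at infinity."""
    return 1 + sum(1 + legendre(x * x * x + a * x + b, p) for x in range(p))


def trace_of_frobenius(p: int, a: int, b: int) -> int:
    """t_E = p + 1 - #E(F_p); the Hasse bound guarantees |t_E| <= 2 sqrt(p)."""
    return p + 1 - count_points(p, a, b)


def is_elkies(t: int, p: int, l: int) -> bool:
    """An odd prime l not dividing p is Elkies for E iff t^2 - 4p is a square mod l.

    A prime l dividing t^2 - 4p counts as Elkies here (0 is a square); these
    are the O(omega_L(t_E^2 - 4q)) exceptional primes handled in Section 3."""
    return legendre(t * t - 4 * p, l) >= 0


def atkin_elkies_counts(p: int, a: int, b: int, L: int) -> tuple[int, int]:
    """(N_a(E; L), N_e(E; L)) for E = E_{a,b} over F_p and odd primes l != p in [L, 2L]."""
    t = trace_of_frobenius(p, a, b)
    ls = [l for l in primes_in(L, 2 * L) if l != 2 and l != p]
    n_e = sum(1 for l in ls if is_elkies(t, p, l))
    return len(ls) - n_e, n_e


def average_counts(p: int, L: int) -> tuple[float, float]:
    """Average (N_a, N_e) over all non-singular curves E_{a,b}, (a, b) in F_p^2.

    For every curve N_a + N_e is the number of odd primes in [L, 2L] other
    than p, so the two averages always sum to that number; Theorem 1 says
    that on average they are also nearly equal."""
    tot_a = tot_e = curves = 0
    for a in range(p):
        for b in range(p):
            if (4 * a ** 3 + 27 * b ** 2) % p == 0:
                continue  # singular equation, not an elliptic curve
            n_a, n_e = atkin_elkies_counts(p, a, b, L)
            tot_a, tot_e, curves = tot_a + n_a, tot_e + n_e, curves + 1
    return tot_a / curves, tot_e / curves


if __name__ == "__main__":
    # Constructed sample: y^2 = x^3 + x + 1 over F_5 has 9 points, so t_E = -3.
    print(count_points(5, 1, 1), atkin_elkies_counts(5, 1, 1, 7))
    print(average_counts(53, 5))
```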

Under the Generalised Riemann Hypothesis (GRH), using the bound of quadratic characters over primes, it has been noted by Galbraith and Satoh that (1) holds for $L \ge (\log q)^{2+\varepsilon}$ for any fixed $\varepsilon > 0$ and $q \to \infty$; see [22, App. A], and also [12, Prop. 5.25] or [21, Ex. 5.a in §13.1]. However, the unconditional results are much weaker and essentially rely on our knowledge of the distribution of primes in arithmetic progressions; see [12, §5.9] or [21, Ch. 4 and 11].

Here, we study the values of $N_a(E;L)$ and $N_e(E;L)$ on average over all elliptic curves $E$ over $\mathbb{F}_q$. Let $\mathcal{E}_q$ be any set of representatives of all isomorphism classes of elliptic curves over $\mathbb{F}_q$.

Theorem 1. For any integer $\nu \ge 1$, we have
$$\frac{1}{\#\mathcal{E}_q}\sum_{E \in \mathcal{E}_q}\left|N_*(E;L) - \frac12\left(\pi(2L) - \pi(L)\right)\right|^{2\nu} = O\left(\pi(2L)^{\nu}\log q\,(\log\log q)^2 + \pi(2L)^{2\nu} q^{-1/2} L^{\nu}\log L\right),$$
where $N_*(E;L)$ is either $N_a(E;L)$ or $N_e(E;L)$.
For an appropriate choice of $\nu$ we obtain from Theorem 1 a nontrivial result in the range

$$(\log q)^{\varepsilon} \le L \le q^{1/2}(\log q)^{-1/2-\varepsilon},$$

for any fixed $\varepsilon > 0$ and all sufficiently large $q$. This range includes values of $L$ that are much smaller than those addressed by the result of Galbraith and Satoh for any particular elliptic curve, even under the GRH.

In many applications it is more convenient to consider curves given by the family of short Weierstrass equations

$$E_{a,b}:\ Y^2 = X^3 + aX + b, \qquad (2)$$

where $a$ and $b$ run through $\mathbb{F}_q$, with $\gcd(q, 6) = 1$, and satisfy $4a^3 + 27b^2 \ne 0$. Since there are $O(p)$ pairs $(a,b) \in \mathbb{F}_p^2$ for which $E_{a,b}$ lies in a given isomorphism class, we easily derive from Theorem 1 the following corollary.

Corollary 2. For any real $\varepsilon > 0$ and integer $C \ge 1$, for a sufficiently large prime $p$ and $L \ge (\log p)^{\varepsilon}$ there are at most $p^2(\log p)^{-C}$ pairs $(a,b) \in \mathbb{F}_p^2$ for which $4a^3 + 27b^2 \ne 0$ and

$$N_*(E;L) < \tfrac13\left(\pi(2L) - \pi(L)\right),$$

where $N_*(E;L)$ is either $N_a(E;L)$ or $N_e(E;L)$.

As an application of Corollary 2, in Section 5 we present Algorithm 2, which efficiently generates a random elliptic curve of prime order. Given an integer $x > 3$, we seek a uniformly random element of the set $\mathcal{T}(x)$ of all triples $(p,a,b)$, where $p$ is a prime in the interval $[x,2x]$, while $a$ and $b$ are elements of $\mathbb{F}_p$ for which the elliptic curve $E_{a,b}$ in (2) has a prime number of $\mathbb{F}_p$-rational points. This problem arises in cryptographic applications of elliptic curves, where one typically requires a curve with prime (or near prime) order, but wishes to choose a curve that is otherwise as generic as possible.

We show that the output and complexity of Algorithm 2 (see Section 5) satisfy the following:

Theorem 3. Given a real number $x > 3$, Algorithm 2 outputs a prime $p \in [x,2x]$, two elements $a, b \in \mathbb{F}_p$, and $N = \#E_{a,b}(\mathbb{F}_p)$, where $N$ is prime and $(p,a,b)$ is uniformly distributed over $\mathcal{T}(x)$. Assuming the GRH, the expected running time of Algorithm 2 is $O\left((\log x)^5(\log\log x)^3\log\log\log x\right)$.
2 Preparations



We recall the notations $U = O(V)$, $V = \Omega(U)$, $U \ll V$ and $V \gg U$, which are all equivalent to the statement that the inequality $|U| \le cV$ holds asymptotically, with some constant $c > 0$. We also write $U = \tilde{O}(V)$ to indicate that $|U| \le V(\log V)^{O(1)}$. Throughout the paper, any implied constants in these symbols may occasionally depend, where obvious, on the integer parameter $\nu \ge 1$ and the real parameter $\varepsilon > 0$, and are absolute otherwise. We always assume that $\ell$ runs through the prime values.

Let us first recall some known facts about elliptic curves, which are conveniently summarised by Lenstra [15]. In particular, we need the following well-known asymptotic estimate on the cardinality of $\mathcal{E}_q$; see [15, §1.4] for $\gcd(q, 6) = 1$, [HI Thm. 3.18] for $2 \mid q$, and [13] for $3 \mid q$.

Lemma 4. We have

$$\#\mathcal{E}_q = 2q + O(1).$$

Furthermore, let $f_q(t)$ be the number of isomorphism classes of curves $E$ over $\mathbb{F}_q$ with $t_E = t$. Lenstra gives in [15, Prop. 1.9] the following upper bound on $f_q(t)$, which we formulate together with the Hasse estimate on possible values of $t$; see [15, Prop. 1.5] or [2, 25].

Lemma 5. We have

$$f_q(t) \ll \begin{cases} q^{1/2}\log q\,(\log\log q)^2 & \text{if } |t| \le 2q^{1/2}, \\ 0 & \text{if } |t| > 2q^{1/2}. \end{cases}$$

We also need some results on multiplicative character sums. More precisely, we concentrate on the sums of Jacobi symbols $(a/b)$; see [12, §3.5]. Let us first consider complete sums.

Lemma 6. For any integer $a$ and a product $m = \ell_1 \cdots \ell_s$ of $s$ distinct odd primes $\ell_1, \ldots, \ell_s$ with $\gcd(a, m) = 1$ we have

$$\sum_{t=0}^{m-1}\left(\frac{t^2 - a}{m}\right) = (-1)^s.$$



Proof. We use the following special case of the well-known identity for sums of Legendre symbols with quadratic polynomials, see [17, Thm. 5.48]:

$$\sum_{t=0}^{\ell-1}\left(\frac{t^2 - a}{\ell}\right) = -1$$

for any prime $\ell \nmid a$. Applying the multiplicativity of complete character sums, see [12, Eq. 12.21], completes the proof. □

The following estimate is a slight generalisation of [HI Lem. 2.2]. 

Lemma 7. For any integers $a$ and $T \ge 1$ and a product $m = \ell_1 \cdots \ell_s$ of $s \ge 0$ distinct odd primes $\ell_1, \ldots, \ell_s$ with $\gcd(a, m) = 1$ we have

$$\sum_{|t| \le T}\left(\frac{t^2 - a}{m}\right) \ll T/m + C^{s} m^{1/2}\log m,$$

for some absolute constant $C \ge 1$.

Proof. The result is trivial when $s = 0$, that is, when $m = 1$.

For $s \ge 1$, as in [15], we note that the Weil bound applied to the mixed sums of additive and multiplicative characters with polynomials, of the type given in [12, Eq. 11.43], and the multiplicativity of complete character sums, see [12, Eq. 12.21], imply that

$$\left|\sum_{t=0}^{m-1}\left(\frac{t^2 - a}{m}\right)\exp\left(2\pi i\frac{\lambda t}{m}\right)\right| \ll C^{s} m^{1/2}$$

holds for any integer $\lambda$ and some absolute constant $C \ge 1$. Using the standard reduction between complete and incomplete sums (see [12, §12.2]), we derive that for any integer $K$ and any positive integer $L < m$ we have

$$\sum_{t=K+1}^{K+L}\left(\frac{t^2 - a}{m}\right)\exp\left(2\pi i\frac{\lambda t}{m}\right) \ll C^{s} m^{1/2}\log m. \qquad (3)$$

Separating the summation range over $t$ into $O(T/m)$ intervals of length $m$ (and using Lemma 6 for the sums over these intervals) and at most one interval of length less than $m$ (and using (3) for the sum over this interval), we obtain the desired result. □

Finally, for any integer $n$ we denote by $\omega_L(n)$ the number of primes in the interval $[L, 2L]$ that divide $n$.

Lemma 8. For $L \ge 3$ and any integer $\nu \ge 1$, we have

$$\sum_{|t| \le T}\omega_L(t^2 - a)^{\nu} \ll \frac{T}{\log L} + \frac{L^{\nu}}{(\log L)^{\nu}}.$$
Proof. We have

$$\sum_{|t| \le T}\omega_L(t^2 - a)^{\nu} = \sum_{|t| \le T}\left(\sum_{\substack{L \le \ell \le 2L \\ \ell \mid t^2 - a}} 1\right)^{\nu} = \sum_{L \le \ell_1, \ldots, \ell_\nu \le 2L}\ \sum_{\substack{|t| \le T \\ \operatorname{lcm}[\ell_1, \ldots, \ell_\nu] \mid t^2 - a}} 1.$$

By the Chinese remainder theorem, for any squarefree $m \ge 1$ we have

$$\sum_{\substack{|t| \le T \\ m \mid t^2 - a}} 1 \ll 2^{j}\left(T/m + 1\right),$$

where $j = \omega(m)$ counts the prime divisors of $m$. Now, for each $j = 1, \ldots, \nu$ we collect together the terms such that among $\ell_1, \ldots, \ell_\nu$, only $j$ are distinct. We then obtain

$$\sum_{|t| \le T}\omega_L(t^2 - a)^{\nu} \ll \sum_{j=1}^{\nu}\ \sum_{L \le \ell_1, \ldots, \ell_j \le 2L}\left(\frac{T}{\ell_1 \cdots \ell_j} + 1\right) \ll \sum_{j=1}^{\nu}\left(T\left(\sum_{L \le \ell \le 2L}\frac{1}{\ell}\right)^{j} + \pi(2L)^{j}\right).$$

Applying the Prime Number Theorem completes the proof. □



3 Proof of Theorem 1

Clearly, we have

$$N_a(E;L) - N_e(E;L) = \sum_{L \le \ell \le 2L}\left(\frac{t_E^2 - 4q}{\ell}\right) + O\left(\omega_L(t_E^2 - 4q) + 1\right),$$

where, as before, $\omega_L(n)$ denotes the number of primes $\ell \in [L, 2L]$ with $\ell \mid n$.
Therefore,

$$\sum_{E \in \mathcal{E}_q}\left|N_*(E;L) - \frac12\left(\pi(2L) - \pi(L)\right)\right|^{2\nu} \ll U_\nu + V_\nu + \#\mathcal{E}_q, \qquad (4)$$

where as before $N_*(E;L)$ is either $N_a(E;L)$ or $N_e(E;L)$ and

$$U_\nu = \sum_{E \in \mathcal{E}_q}\left|\sum_{L \le \ell \le 2L}\left(\frac{t_E^2 - 4q}{\ell}\right)\right|^{2\nu} \qquad\text{and}\qquad V_\nu = \sum_{E \in \mathcal{E}_q}\omega_L(4q - t_E^2)^{2\nu}.$$

By Lemma 5,

$$U_\nu = \sum_{|t| \le 2q^{1/2}} f_q(t)\left|\sum_{L \le \ell \le 2L}\left(\frac{t^2 - 4q}{\ell}\right)\right|^{2\nu} \ll q^{1/2}\log q\,(\log\log q)^2\sum_{|t| \le 2q^{1/2}}\left|\sum_{L \le \ell \le 2L}\left(\frac{t^2 - 4q}{\ell}\right)\right|^{2\nu},$$

where $f_q(t)$ is defined as in Section 2.

Furthermore,

$$\sum_{|t| \le 2q^{1/2}}\left|\sum_{L \le \ell \le 2L}\left(\frac{t^2 - 4q}{\ell}\right)\right|^{2\nu} = \sum_{L \le \ell_1, \ldots, \ell_{2\nu} \le 2L}\ \sum_{|t| \le 2q^{1/2}}\left(\frac{t^2 - 4q}{\ell_1 \cdots \ell_{2\nu}}\right). \qquad (5)$$

For every $j = 0, \ldots, \nu$ let $\mathcal{Q}_j$ be the set of $2\nu$-tuples $(\ell_1, \ldots, \ell_{2\nu})$ of primes with $L \le \ell_1, \ldots, \ell_{2\nu} \le 2L$ such that the product $r = \ell_1 \cdots \ell_{2\nu}$ is of the form $r = k^2 m$, with $m$ squarefree and $k$ the product of $j$ primes.

For the cardinalities of these sets we clearly have

$$\#\mathcal{Q}_j \ll \left(\pi(2L) - \pi(L)\right)^{2\nu - j} \ll \frac{L^{2\nu - j}}{(\log L)^{2\nu - j}}.$$

Using Lemma 7 for $(\ell_1, \ldots, \ell_{2\nu}) \in \mathcal{Q}_j$, $j = 0, \ldots, \nu$, we obtain

$$\begin{aligned}
\sum_{|t| \le 2q^{1/2}}\left|\sum_{L \le \ell \le 2L}\left(\frac{t^2 - 4q}{\ell}\right)\right|^{2\nu}
&\ll \sum_{j=0}^{\nu}\#\mathcal{Q}_j\left(q^{1/2}/L^{2\nu - 2j} + L^{\nu - j}\log L\right) \\
&\ll \sum_{j=0}^{\nu}\left(\frac{q^{1/2}L^{j}}{(\log L)^{2\nu - j}} + \frac{L^{3\nu - 2j}}{(\log L)^{2\nu - j - 1}}\right)
\ll \frac{q^{1/2}L^{\nu}}{(\log L)^{\nu}} + \frac{L^{3\nu}}{(\log L)^{2\nu - 1}}.
\end{aligned}$$
Inserting this bound in (5), we obtain

$$U_\nu \ll q^{1/2}\log q\,(\log\log q)^2\left(\frac{q^{1/2}L^{\nu}}{(\log L)^{\nu}} + \frac{L^{3\nu}}{(\log L)^{2\nu - 1}}\right). \qquad (6)$$



Finally, by Lemma 8 we have

$$V_\nu \ll q^{1/2}\log q\,(\log\log q)^2\left(\frac{q^{1/2}}{\log L} + \frac{L^{2\nu}}{(\log L)^{2\nu}}\right). \qquad (7)$$



Substituting (6) and (7) in (4) and recalling Lemma 4 we conclude the proof.

4 Point Counting on Random Elliptic Curves 

We now consider the problem of generating a random elliptic curve whose group of $\mathbb{F}_p$-rational points has prime order. One approach is to fix the prime $p$, and then count points on randomly generated elliptic curves over $\mathbb{F}_p$ until a curve with prime order is found. Using the SEA point-counting algorithm, this procedure heuristically has an expected running time of $\tilde{O}(n^5)$, where $n = \log p$. However, for a fixed prime $p$, we cannot hope to prove even a polynomial time bound, because even under the GRH the Hasse interval $[p - 2\sqrt{p}, p + 2\sqrt{p}]$ is too narrow to permit a useful lower bound on the number of primes it contains. Thus we let $p$ vary over an interval $[x, 2x]$, which at least makes a polynomial-time bound feasible; see [14].

A second obstacle to obtaining an $\tilde{O}(n^5)$ expected time bound is that the expected running time of the SEA algorithm is not known to be polynomial in $n$, unless we assume the GRH. Even with the GRH, the expected running time of the SEA algorithm on any particular curve is only bounded by $\tilde{O}(n^5)$, yielding an $\tilde{O}(n^6)$ bound overall. However, for randomly generated curves, Theorem 1 yields a tighter bound, on average, allowing us to prove an $\tilde{O}(n^5)$ bound on the expected time to find a curve of prime order, under the GRH.

We first present an algorithm that attempts to count the points on the elliptic curve $E_{a,b}$ modulo $p$, using a simplified version of the SEA algorithm that relies only on Elkies primes. In the course of doing so, the algorithm may discover that $p$ is composite (using the Miller-Rabin algorithm [19]), or that the curve $E_{a,b}$ is singular modulo $p$, and in either case it outputs $0$; otherwise, it returns a positive integer $N$ in the Hasse interval $[p - 2\sqrt{p}, p + 2\sqrt{p}]$. If $p$ is in fact prime (and $E_{a,b}$ is not singular), then $N$ is equal to $\#E_{a,b}(\mathbb{F}_p)$.

Algorithm 1. Point-counting modulo $p$ using Elkies primes.

Input: An integer $p > 3$ and integers $a, b \in [0, p-1]$.

Output: A positive integer $N \in [p - 2\sqrt{p}, p + 2\sqrt{p}]$ with $\#E_{a,b}(\mathbb{F}_p) = N$ if $p$ is prime and $4a^3 + 27b^2 \not\equiv 0 \bmod p$, and $0$ otherwise.

1. In parallel to the steps below, repeatedly test $p$ for compositeness using the Miller-Rabin algorithm [19]. If at any point $p$ is found to be composite then output $0$ and terminate.

2. If $\gcd(4a^3 + 27b^2, p) \ne 1$ then output $0$ and terminate. Otherwise, set $j \leftarrow 1728 \cdot 4a^3/(4a^3 + 27b^2) \bmod p$.

3. Test whether $E = E_{a,b} \bmod p$ is supersingular using [26, Alg. 2]. If so, then output $p + 1$ and terminate.

4. Set $i \leftarrow 0$, $M \leftarrow 1$, and for primes $\ell = 2, 3, 5, \ldots$, do the following:

(a) Compute the modular polynomial $\Phi_\ell(X, Y)$ using [5, Alg. 1].

(b) Compute $\phi(X) = \Phi_\ell(j, X)$ and $f(X) = \gcd(X^p - X, \phi(X))$ in the ring $(\mathbb{Z}/p\mathbb{Z})[X]$. If $\deg f = 0$ then proceed to the next prime $\ell$.

(c) Find a root $\tilde{j}$ of $f(X)$ modulo $p$.

(d) Compute the Elkies polynomial $h(X)$ whose roots are the abscissae of the points in the kernel of the $\ell$-isogeny $\varphi$ from $E$ to a curve $\tilde{E}$ with $j$-invariant $\tilde{j}$.¹

(e) Using $h$, determine the integer $\lambda \in [1, \ell - 1]$ for which the $p$-power Frobenius action on $\ker\varphi$ is equivalent to multiplication by $\lambda$. If no such $\lambda$ exists then output $0$ and terminate.

(f) Set $i \leftarrow i + 1$, $\ell_i \leftarrow \ell$, $M \leftarrow M\ell$, and $t_i \leftarrow \lambda + p/\lambda \bmod \ell$.

(g) If $M > 4\sqrt{p}$ then proceed to Step 5. Otherwise, continue Step 4.

5. Compute the unique integer $t \in [-M, M]$ for which $t \equiv t_i \bmod \ell_i$ for each Elkies prime $\ell_i$. If $|t| > 2\sqrt{p}$ then output $0$, otherwise, output $N = p + 1 - t$.

We note that the algorithm is not in any sense required to be "correct" when $p$ is composite; it may output either $0$ or any integer $N$ in the Hasse interval in this case. The Miller-Rabin tests begun in Step 1 of Algorithm 1 are there simply to ensure that composite $p$ are handled efficiently. This is necessary since the rest of the algorithm, operating on the assumption that $p$ is prime, may run extremely slowly or even fail to terminate if $p$ is composite.

¹ The special case $(\partial\Phi_\ell/\partial X)(\tilde{j}, j) = (\partial\Phi_\ell/\partial Y)(\tilde{j}, j) = 0$ must be handled separately, see the proof of Lemma 9 for details.

Assuming that $p$ is prime, the value $j$ computed in Step 2 is the $j$-invariant of the elliptic curve $E = E_{a,b}$ over $\mathbb{F}_p$. The classical modular polynomial $\Phi_\ell$ parametrises pairs of $\ell$-isogenous elliptic curves; the roots of $\Phi_\ell(j(E), X)$ are the $j$-invariants of the curves $\tilde{E}$ that are related to $E$ by a cyclic isogeny of degree $\ell$. There exists such an elliptic curve $\tilde{E}$ defined over $\mathbb{F}_p$ precisely when $\ell$ is an Elkies prime for $E$, thus Elkies and Atkin primes are distinguished in Steps 4b and 4c, which attempt to find a root of $\Phi_\ell(j(E), X)$ in $\mathbb{F}_p$. Steps 4c-4f then apply the standard SEA procedure for computing the trace of Frobenius modulo an Elkies prime $\ell$, as described by Schoof in [24].

We now consider the complexity of Algorithm 1. We use the asymptotic bound $O(n\log n\log\log n)$ of Schönhage and Strassen [23] to bound the time $M(n)$ to multiply two $n$-bit integers (see also [9]), and note that all of our complexity estimates count bit operations.

Lemma 9. Let $n = \lceil\log p\rceil$ and assume the GRH. For composite $p$, the expected running time of Algorithm 1 is $O(n^2\log n\log\log n)$. For prime $p$, the average expected running time of Algorithm 1 over integers $a, b \in [0, p-1]$ is $O(n^4(\log n)^2\log\log n)$.

Proof. We expect to detect a composite $p$ using $O(1)$ Miller-Rabin tests, each of which has complexity $O(nM(n)) = O(n^2\log n\log\log n)$, the time to perform an exponentiation modulo $p$. This proves the first claim.

We now assume $p$ is prime. The complexity of Step 2 is $O(M(n)\log n)$, and Step 3 runs in $O(n^3\log n\log\log n)$ expected time; see [26, Prop. 4].

Let $m$ be the largest prime $\ell$ used in Step 4. We have $\log M > n/2$, thus by the Prime Number Theorem, $m \gg n$. Ignoring constant factors, we may use $m$ as an upper bound on both $\ell$ and $n$. Table 1 estimates the costs of Steps 4a-4f in terms of $\ell$ and $n$, and also gives bounds in terms of $m$. We use standard asymptotic bounds on the complexity of (fast) arithmetic operations in $\mathbb{Z}/p\mathbb{Z}$ and $\mathbb{Z}/p\mathbb{Z}[X]$, all of which can be found in [9].²

In Step 4a we use the isogeny volcano algorithm of [5] to compute the modular polynomial and it is here that we need to assume the GRH. In the complexity bound for Step 4d we include the cost of computing and evaluating various partial derivatives of $\Phi_\ell$ modulo $p$, and use Elkies' algorithm to compute the kernel polynomial $h(X)$; see [7] and [8, Ch. 25] for details, and [1] for further optimizations. In the complexity bound for Step 4e, the first term bounds the time to compute the action of Frobenius on $\ker\varphi$ (this involves computing $X^p$ and $Y^p$ modulo $h$ and $E_{a,b}$), while the second term bounds the time to compute the action of multiplication by $\lambda$ on $\ker\varphi$ for every integer $\lambda$ in $[1, \ell - 1]$; see [10] for details and optimizations.

Table 1: Complexity bounds for Step 4 of Algorithm 1

  step   result              expected time $O(\cdots)$                              in terms of $m$
  (a)    $\Phi_\ell(X, Y)$   $\ell^3(\log\ell)^3\log\log\ell$                       $m^3(\log m)^3\log\log m$
  (b)    $\phi(X)$           $\ell^2 M(\ell\log\ell + n)$                           $m^3(\log m)^2\log\log m$
         $X^p \bmod \phi$    $nM(\ell)M(n)$                                         $m^3(\log m)^2(\log\log m)^2$
         $f(X)$              $M(\ell)M(n)\log\ell + \ell M(n)\log n$                $m^2(\log m)^3(\log\log m)^2$
  (c)    $\tilde{j}$         $M(\ell)M(n)n$                                         $m^3(\log m)^2(\log\log m)^2$
  (d)    $h(X)$              $\ell^2 M(n) + M(n)\ell\log n$                         $m^3\log m\log\log m$
  (e)    $\lambda$           $M(\ell)M(n)n + M(\ell)M(n)\ell$                       $m^3(\log m)^2(\log\log m)^2$
  (f)    $t_i$               $\ell M(\log\ell)\log\log\ell$                         $m\log m(\log\log m)^2$
         $M$                 $M(n + \log\ell)$                                      $m\log m\log\log m$

² Some of these bounds can be improved by using Kronecker substitution to multiply polynomials in $\mathbb{Z}/p\mathbb{Z}[X]$, but this does not change the overall complexity.

The cost of Steps 4a-4f is dominated by the $O(m^3(\log m)^3\log\log m)$ cost of Step 4a, which also dominates the cost of Steps 2, 3, and 5, the last of which has complexity $O(M(m)\log m)$. The number of iterations in Step 4 is at most $\pi(m) = O(m/\log m)$, thus when $p$ is prime, the total expected running time of Algorithm 1 is $O(m^4(\log m)^2\log\log m)$.

To address the special case $(\partial\Phi_\ell/\partial X)(\tilde{j}, j) = (\partial\Phi_\ell/\partial Y)(\tilde{j}, j) = 0$, we note that, as explained by Schoof in [24, pp. 248-249], there are then only $O(\ell^2)$ possible values for $N$. For $p > 229$, only one of these candidates satisfies Mestre's theorem [24, Thm. 3.2]. By multiplying random points on $E_{a,b}(\mathbb{F}_p)$ and its quadratic twist by each of the candidate values for $N$, we can uniquely determine $N$ in $O(\ell^2 nM(n)) = O(m^4\log m\log\log m)$ expected time, which is dominated by the bound we derived above (and for $p < 229$ we can simply enumerate the elements of $E_{a,b}(\mathbb{F}_p)$ by brute force).

We now notice that by Corollary 2 and the Prime Number Theorem we have $m \ll n$ for all but $O(p^2 n^{-3})$ pairs $(a, b) \in \mathbb{F}_p^2$, for which, by the result of Galbraith and Satoh [22, App. A], we have $m \ll n^3$. Thus if we average over all integers $a, b$ in $[0, p-1]$ for a fixed prime $p$, then the expected value of $m$ is $O(n)$, which completes the proof. □



5 Proof of Theorem 3

The proof is based on the analysis of the following procedure: 

Algorithm 2. Generation of a random elliptic curve with a prime number of rational points over a finite field.

Input: A real $x > 3$.

Output: A prime $p \in [x, 2x]$, $a, b \in \mathbb{F}_p$, and $N = \#E_{a,b}(\mathbb{F}_p)$ prime.

1. Pick a uniformly random integer $p$ in the interval $[x, 2x]$.

2. Pick uniformly random integers $a, b \in [0, p-1]$ and apply Algorithm 1 to $E_{a,b} \bmod p$, obtaining $N$. If Algorithm 1 finds that $p$ is composite or that $p \mid (4a^3 + 27b^2)$ then return to Step 1.

3. Apply $\lceil\log x\rceil$ Miller-Rabin tests to both $p$ and $N$. If either $p$ or $N$ is found to be composite then return to Step 1.

4. Determine the primality of $p$ and $N$ using a randomized AKS algorithm [3]. If $N$ and $p$ are both prime, then output $p$, $a$, $b$, and $N$, and terminate. Otherwise, return to Step 1.
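The rejection loop of Algorithm 2 run at toy scale, as an added example that is not the paper's code: brute-force point counting stands in for Algorithm 1, trial division stands in for the randomized AKS step, and the Miller-Rabin filter is implemented as written. The function names and the seeded generator are this example's own choices; the cheap rejection of composite $p$ and singular curves before any expensive work is the point worth seeing.

```python
"""Toy-scale run of the rejection loop in Algorithm 2.

Added example, not the paper's code: the control flow of Algorithm 2 with
brute-force point counting standing in for Algorithm 1, trial division
standing in for the randomized AKS step, and Miller-Rabin as written.
"""
import math
import random


def new_rng(seed: int) -> random.Random:
    """Seeded generator so that a run is reproducible."""
    return random.Random(seed)


def miller_rabin(n: int, rounds: int, rng: random.Random) -> bool:
    """True if n passes `rounds` independent Miller-Rabin tests, False if some
    round proves n composite. A composite n passes one round with probability
    at most 1/4, which is the bound the text relies on."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # repeated squaring never reached -1: n is composite
    return True


def is_prime_exact(n: int) -> bool:
    """Deterministic primality check (trial division); stands in for AKS at toy sizes."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def count_points(p: int, a: int, b: int) -> int:
    """#E_{a,b}(F_p) via Euler's criterion; correct when p is an odd prime."""
    chi = lambda v: 0 if v % p == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)
    return 1 + sum(1 + chi(x * x * x + a * x + b) for x in range(p))


def algorithm1_stand_in(p: int, a: int, b: int, rng: random.Random) -> int:
    """Same contract as Algorithm 1: 0 if p is found composite or the curve is
    singular mod p, otherwise a value in the Hasse interval (here the exact count)."""
    if not miller_rabin(p, 1, rng):  # Step 1 of Algorithm 1: cheap compositeness check
        return 0
    if math.gcd(4 * a ** 3 + 27 * b ** 2, p) != 1:  # Step 2: singular curve
        return 0
    return count_points(p, a, b)


def generate_prime_order_curve(x: int, seed: int = 0) -> tuple[int, int, int, int]:
    """Algorithm 2: repeat until a triple (p, a, b) with p and N both prime appears."""
    rng = new_rng(seed)
    rounds = math.ceil(math.log(x))  # the ceil(log x) Miller-Rabin tests of Step 3
    while True:
        p = rng.randint(x, 2 * x)                        # Step 1
        a, b = rng.randrange(p), rng.randrange(p)         # Step 2
        n_pts = algorithm1_stand_in(p, a, b, rng)
        if n_pts == 0:
            continue
        if not (miller_rabin(p, rounds, rng) and miller_rabin(n_pts, rounds, rng)):
            continue                                      # Step 3
        if is_prime_exact(p) and is_prime_exact(n_pts):   # Step 4
            return p, a, b, n_pts


if __name__ == "__main__":
    print(generate_prime_order_curve(50, seed=1))
```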



The Miller-Rabin algorithm [19] attempts to prove that a given integer $p$ is not prime (that is, composite) via a sequence of independent random tests, each of which detects a composite $p$ with probability at least $3/4$. Thus the probability that the algorithm reaches Step 4 when $N$ is composite is less than $1/\log x$. The primality testing algorithm used in Step 4 is a randomized version of the Agrawal-Kayal-Saxena algorithm [1] due to Bernstein [3], and determines whether $N$ is prime or composite in $O(n^{4+\varepsilon})$ expected time, for any $\varepsilon > 0$.

We now put $n = \lceil\log x\rceil$ and show that the expected running time of Algorithm 2 is $O(n^5(\log n)^3\log\log n)$.

Step 2 of Algorithm 2 calls Algorithm 1 with parameters chosen uniformly at random from the set $\mathcal{T}(x)$ of triples $(p, a, b)$ with $x \le p \le 2x$ and $0 \le a, b < p$, which has cardinality $O(x^3)$. Let $\mathcal{S}(x)$ denote the subset of $\mathcal{T}(x)$ consisting of those triples $(p, a, b)$ for which both $p$ and $N = \#E_{a,b}(\mathbb{F}_p)$ are prime (and $p \nmid (4a^3 + 27b^2)$, which we assume throughout).
We first show that the cardinality of $\mathcal{S}(x)$ satisfies

$$\#\mathcal{S}(x) \gg \frac{x^3}{(\log x)^2\log\log x}. \qquad (8)$$

By [14, Lem. 1], the number of pairs of primes $(p, N)$ with $x \le p \le 2x$ and $p - \sqrt{p} \le N \le p + \sqrt{p}$ is $\Omega(x^{3/2}/(\log x)^2)$. For each such pair $(p, N)$, the number of pairs $(a, b)$ with $0 \le a, b < p$ for which $\#E_{a,b}(\mathbb{F}_p) = N$ is $\frac12(p-1)H(D)$, where $D = (p + 1 - N)^2 - 4p$, and $H(D)$ denotes the Hurwitz class number, see [HI Thm. 14.18]. Let $D = v^2 D_0$, where $D_0$ is a fundamental discriminant. By [27, Lem. 9], we have $H(D) \ge vH(D_0) \ge \frac13 v h(D_0)$, and the GRH implies

$$h(D_0) \gg \frac{\sqrt{|D_0|}}{\log\log|D_0|},$$

where $h(D_0)$ is the usual class number, by a theorem of Littlewood [16]. It follows that

$$H(D) \gg \frac{v\sqrt{|D_0|}}{\log\log|D_0|} \gg \frac{\sqrt{x}}{\log\log x},$$

see also comments in [15, Section 1.6]. Therefore, there are $\Omega(x^{3/2}/\log\log x)$ pairs $(a, b)$ with $\#E_{a,b}(\mathbb{F}_p) = N$ and $\Omega(x^{3/2}/(\log x)^2)$ pairs of primes $(p, N)$, which implies (8).

Thus we expect to generate $O((\log x)^2\log\log x) = O(n^2\log n)$ random triples $(p, a, b)$ in order to obtain a triple for which $p$ and $N = \#E_{a,b}(\mathbb{F}_p)$ are both prime. Once this occurs, the algorithm successfully completes Steps 2-5 and terminates. We now consider the cost of processing each random triple, which we divide into 3 cases.

1. If $p$ is composite, the expected cost of Step 2 is $O(n^2\log n\log\log n)$, by Lemma 9, which also bounds the complexity of Step 3 (assuming it is reached), since we actually expect to discover that $p$ is composite using just $O(1)$ Miller-Rabin tests. The probability of reaching Step 4 is less than $4^{-\log x} = O(1/x)$, by [19], which makes the conditional cost of Steps 4 and 5 in this case completely negligible, since they both have expected running times that are polynomial in $\log x$.

2. If $p$ is prime and $N$ is composite, the expected cost of Step 2 given by Lemma 9 is $O(n^4(\log n)^2\log\log n)$, which dominates the complexity of Step 3 and the conditional cost of Step 4 (which, as in Case 1, we have negligible probability of reaching).

3. If $p$ and $N$ are prime, the expected costs of Steps 2, 3, 4, and 5 are, respectively, $O(n^4(\log n)^2\log\log n)$, $O(n^3\log n\log\log n)$, $O(n^{4+\varepsilon})$, and $O(n^2\log n\log\log n)$; see [3] for the bound on Step 4. Thus the total expected cost is $O(n^{4+\varepsilon})$ for any $\varepsilon > 0$.

We now bound the expected running time of Algorithm 2 by considering how often we expect each case to occur. We expect to be in Case 1 for $O(n^2\log n)$ triples, each of which takes $O(n^2\log n\log\log n)$ time, yielding a total bound of $O(n^{4+\varepsilon})$. We expect to be in Case 2 for $O(n\log n)$ triples, each of which takes $O(n^4(\log n)^2\log\log n)$ expected time, yielding a total bound of $O(n^5(\log n)^3\log\log n)$. Case 3 occurs exactly once, and takes $O(n^{4+\varepsilon})$ expected time. Case 2 dominates and the theorem follows.

6 Comments 

The bound in Theorem 3 would be improved by a factor of $\log n$ if one could show that $H(D) = \Omega(\sqrt{|D|})$, on average, but we have not attempted to do this (note that the distribution of $D$ is not uniform). As a practical optimization, one can add an "early abort" option in Algorithm 1 that causes the algorithm to terminate if it discovers that $N \equiv 0 \bmod \ell$. Heuristically, this should reduce the running time of Algorithm 2 by a factor of $\log n$. Another practical optimization is to reuse the modular polynomials $\Phi_\ell$ that are computed in Algorithm 1, which do not depend on the inputs $p$, $a$, and $b$. This saves a factor of $\log n$ in the expected running time, but increases the expected space complexity from $O(n^3\log n)$ to $O(n^4\log n)$. Combining these two optimizations with the assumption that $H(D) \gg \sqrt{|D|}$ on average, yields a heuristic expected running time of $O(n^5\log\log n)$ for Algorithm 2.